From ca7aa3f4d3120f304e3170e0a636f0694aef54a5 Mon Sep 17 00:00:00 2001
From: girst
Date: Sat, 20 Nov 2021 14:14:59 +0100
Subject: [PATCH] allow limiting proxy to authenticated users

g.proxy_on should be accessed through getattr(g, 'proxy_on', None). This allows for the following states: True: proxy can be used False: proxy use is denied; try logging in None: proxy is disabled globally
---
 app/proxy/__init__.py | 20 +++++++++++++++++++-
 app/youtube/__init__.py | 5 +++--
 config/config.ini | 6 ++++++
 3 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/app/proxy/__init__.py b/app/proxy/__init__.py
index 78d6d19..fbb5e91 100644
--- a/app/proxy/__init__.py
+++ b/app/proxy/__init__.py
@@ -1,7 +1,10 @@
 import re
 import requests, requests_cache
-from flask import Flask, Blueprint, request, Response
+from flask import Flask, Blueprint, request, Response, g
 from flask_login import current_user
+from werkzeug.exceptions import Forbidden
+
+from ..common.common import cf
 frontend = Blueprint('proxy', __name__)
@@ -90,6 +93,21 @@ def hls_manifest(path):
 def cors_origin():
 return f"{request.environ.get('wsgi.url_scheme')}://{request.host}"
+def proxy_allowed():
+ """ the proxy can be restricted to logged-in users by a config flag """
+ require_auth = cf.getboolean('proxy', 'require_auth', fallback=False)
+ is_authd = not current_user.is_anonymous
+ return is_authd or not require_auth
+
+@frontend.before_request
+def check_auth():
+ if not proxy_allowed():
+ raise Forbidden("limited to authenticated users")
+
+@frontend.before_app_request
+def propagate_auth_requirement():
+ g.proxy_on = proxy_allowed()
+
 if __name__ == '__main__':
 app().run(debug=True)
diff --git a/app/youtube/__init__.py b/app/youtube/__init__.py
index 6c773a4..aecde45 100644
--- a/app/youtube/__init__.py
+++ b/app/youtube/__init__.py
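Review bot: `proxy_allowed()` in app/proxy/__init__.py fails open, because `cf.getboolean('proxy', 'require_auth', fallback=False)` treats a missing `[proxy]` section or key as "no authentication required". An instance upgraded without merging the new config.ini stanza therefore keeps proxying for anonymous visitors, although the shipped default in this commit is `require_auth = yes`. If the open fallback is deliberate for backward compatibility, the docstring should say so, for example `""" restrict the proxy to logged-in users when [proxy] require_auth is set; a missing key leaves it open to everyone """`; otherwise `fallback=True` matches the shipped config.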
@@ -92,9 +92,10 @@ def watch():
 'player': errdetails,
 }.get(error, error)
+ proxy_on = getattr(g, 'proxy_on', False)
 # if the video is geolocked, and the proxy is enabled, we can still play
 # it, if the video is available in the instance server's region:
- if error == 'geolocked' and video_url and 'proxy' in current_app.blueprints.keys():
+ if error == 'geolocked' and video_url and proxy_on:
 videoplayback = url_for('proxy.videoplayback')
 query = urlparse(video_url).query
 video_url = f"{videoplayback}?{query}"
@@ -105,7 +106,7 @@ def watch():
 error = None
 # if the proxy is enabled, we can also play livestreams:
- if error == 'livestream' and 'proxy' in current_app.blueprints.keys():
+ if error == 'livestream' and proxy_on:
 # Note: hlsManifestUrl's hostname will be replaced client-side
 video_url = stream_map['hlsManifestUrl']
 error = None
diff --git a/config/config.ini b/config/config.ini
index 89db0b4..2342eed 100644
--- a/config/config.ini
+++ b/config/config.ini
@@ -30,6 +30,12 @@ modules = browse,youtube,webhooks,proxy,reddit
 # seperately; used for 'websub' and 'captcha' features):
 public_uri = http://delta.gir.st:8801
+[proxy]
+# since proxying video files takes a lot of bandwidth, it can be restricted to
+# only logged-in users (to completely disable, just remove 'proxy' from the
+# modules in the [frontend] section):
+require_auth = yes
+
 [websub]
 # real-time updates of subscriptions.
-- 
2.39.3
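Review bot: `proxy_on = getattr(g, 'proxy_on', False)` in `watch()` reads `g`, but this commit touches no import line in app/youtube/__init__.py (the diffstat's three insertions and two deletions are all inside the two hunks), so unless `g` is already imported from flask elsewhere in the file this line raises NameError when it runs; confirm, or add `g` to the existing flask import. The default also departs from the commit message, which prescribes `getattr(g, 'proxy_on', None)`: with `False` the "denied, try logging in" and "disabled globally" states collapse into one, so an anonymous visitor gets the plain geolocked or livestream error with no hint that logging in would help. The same applies to the `error == 'livestream'` check in the next hunk. `watch()` starts and ends outside both hunks.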